Django forms - how necessary is a CAPTCHA?
I have a general question about Django forms (specifically, a contact form) when it comes to security precautions. Should I use a CAPTCHA? Do forms written with Python not suffer the same problems as PHP ones?
Django forms have built-in protection against CSRF (a.k.a. XSRF), which is a kind of attack that allows a hacker to post stuff to your site without the logged-in user meaning to. PHP doesn't.
Captchas will protect against CSRF, but they're more normally used to protect against robots filling out your form without a human involved.
So it depends what you're trying to protect against. If you want to reduce spam or similar mischief, use a Captcha as you would in PHP. If all you're worried about is CSRF, then don't bother.
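The distinction drawn in the answer above, as an added example that is not part of the original answer: a simplified model of a per-session CSRF token check, showing what it can and cannot tell apart. This is not Django's actual implementation; the function names, the HMAC-based token and the session ids are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret standing in for the server's signing key.
SERVER_KEY = secrets.token_bytes(32)

def issue_token(session_id: str) -> str:
    """Token the server embeds as a hidden field when it renders the form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def csrf_ok(session_id: str, posted: dict) -> bool:
    """True only if the POST carries the token issued to this session."""
    expected = issue_token(session_id).encode()
    supplied = str(posted.get("csrf_token", "")).encode()
    return hmac.compare_digest(expected, supplied)

def handle_contact_post(session_id: str, posted: dict) -> int:
    """Hypothetical contact-form view: returns an HTTP status code."""
    if not csrf_ok(session_id, posted):
        return 403  # request did not originate from a form we rendered
    return 200      # accepted; nothing here checks who or what filled it in

def scenarios() -> dict:
    sid = "session-abc"            # constructed session id
    form_token = issue_token(sid)  # what any client sees after loading the form
    return {
        # A person loads the form and submits it.
        "visitor_submits_form": handle_contact_post(
            sid, {"message": "hello", "csrf_token": form_token}),
        # An automated client that loaded the form first looks identical.
        "automated_client_that_loaded_form": handle_contact_post(
            sid, {"message": "junk", "csrf_token": form_token}),
        # Cross-site forgery: the browser sends the session, but the
        # third-party page could not read the token, so it is missing.
        "cross_site_forged_post": handle_contact_post(
            sid, {"message": "forged"}),
        # A token issued to a different session does not validate.
        "token_from_other_session": handle_contact_post(
            sid, {"message": "x", "csrf_token": issue_token("session-other")}),
    }

if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```

The token check rejects the forged and mismatched posts but accepts both submissions that loaded the form, which is why junk-submission filtering is a separate decision from CSRF protection.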
I ran a Django site for several years. Our feedback form got a couple of submissions per week from bots. The captcha stopped that. I suspect that the rate of bot submissions is highly variable and depends on the content of your site.
Whether or not to use a captcha comes down to a trade-off between convenience for your users vs your tolerance for junk submissions.